Safeguard
Application Security

The Acquisition Pattern Behind AppSec's Runtime Visibilit...

From Cider Security to the $32B Google-Wiz deal, AppSec acquirers keep paying for one thing: runtime visibility into what code actually does in production.

Safeguard Research Team
Research
7 min read

SAN FRANCISCO — Over the past four years, the biggest checks written in cybersecurity have gone almost exclusively to companies that can answer one question a static scanner never could: what is actually running in production right now, and can an attacker reach it? That question — not a new CVE database, not a faster SAST engine — is what has driven a run of application and cloud security acquisitions from Palo Alto Networks, CrowdStrike, Cisco, Akamai, SentinelOne, Harness, and, most dramatically, Google.

The pattern is consistent enough to name: legacy AppSec vendors and platform consolidators are paying nine and ten figures not for better code scanning, but for runtime visibility — the ability to see what code is deployed, what it talks to, what data it touches, and whether a theoretical vulnerability is actually exploitable in the running system. It is a land grab, and the deal log shows exactly how it has unfolded.

The deal log

The current cycle traces back to December 2022, when Palo Alto Networks completed its acquisition of Cider Security, an Israeli application security and software supply chain startup, in a deal reported at roughly $195 million in cash plus assumed equity (some reports put the headline figure closer to $300 million). Cider's pipeline-security technology was folded into Prisma Cloud to support what Palo Alto Networks began calling a "code to cloud" approach.

Less than a year later, Palo Alto Networks went back to the well, completing its acquisition of Dig Security in December 2023 for a price reported between $350 million and $400 million. Dig's data security posture management (DSPM) technology added near-real-time visibility into where sensitive data actually lives and moves across a customer's cloud estate — a runtime concern, not a code-review one.

CrowdStrike moved in the same window. In September 2023 it announced the acquisition of Bionic, an application security posture management (ASPM) pioneer, for a reported $350 million. CrowdStrike's own announcement described the goal explicitly: to build "the industry's most complete code-to-runtime cybersecurity platform" by pairing Bionic's application mapping with CrowdStrike's existing cloud workload protection.

Cisco went a different route into the same territory. In December 2023 it announced its intent to acquire Isovalent, the company behind the eBPF-based Cilium networking project and its Tetragon runtime security engine. eBPF hooks directly into the Linux kernel, giving a security tool live, low-level observability into process behavior, network connections, and system calls as they happen — the deepest form of runtime visibility available on a host. Cisco completed the deal in 2024.

Weeks into 2024, SentinelOne announced its acquisition of PingSafe, a cloud-native application protection platform (CNAPP) vendor, closing the deal in February 2024 for undisclosed cash-and-stock terms. A few months later, Akamai announced it would acquire Noname Security, an API security company, for approximately $450 million, closing that transaction in June 2024. Noname's technology discovers and monitors API traffic in live environments — visibility that only exists once an API is actually deployed and being called.

2025 brought two more data points. In February, Harness and Traceable announced a merger — structured as a combination rather than a straight acquisition — bringing Traceable's API security platform, built on OpenTelemetry distributed tracing, into Harness's software delivery platform. The combined company reported roughly $250 million in expected annualized revenue and a valuation near $5 billion. Traceable's founder, Jyoti Bansal, had previously built and sold AppDynamics — itself a runtime application-performance-monitoring company — to Cisco for $3.7 billion, a pedigree that underscores how much of today's "AppSec" tooling has its roots in production observability rather than static analysis.

Then, in April 2025, Palo Alto Networks announced its acquisition of Protect AI, an AI/ML security company, closing the deal that July and folding it into a new Prisma AIRS platform aimed at securing models and AI applications as they run.

And then there is the deal that dwarfs all of them. Google announced a definitive agreement to acquire Wiz for $32 billion in March 2025 — the largest acquisition in Google's history and the largest pure cybersecurity transaction on record. After roughly a year of antitrust review across the United States, the European Commission, and several other jurisdictions, the deal closed in March 2026. Wiz built its business on agentless cloud visibility — scanning cloud environments to show, in near real time, what is actually deployed, misconfigured, and exposed. Google's stated rationale ties the purchase to two trends it wants to own: cloud security and multicloud operations in the AI era.

Why runtime, why now

Line up the targets and a pattern of capability, not just capital, emerges. Bionic mapped applications as they actually ran in production. Isovalent watched kernel-level behavior in real time. Noname and Traceable instrumented live API traffic. Dig tracked data as it moved through cloud services. PingSafe and Wiz both built cloud-wide visibility that only exists once workloads are deployed. None of these companies' core value proposition was "we find more bugs in your source code." All of them answered some version of: what is your environment actually doing right now, and where is it exposed.

That shift reflects a well-documented problem in application security: static scanners and dependency checkers routinely flag thousands of theoretical vulnerabilities, the overwhelming majority of which are never reachable or exploitable in the running application. Security teams have spent years drowning in that backlog. The acquirers in this list — endpoint and cloud security platforms with large existing customer bases — are the ones best positioned to sell a story where "we already protect your infrastructure, and now we can also tell you which of your ten thousand open findings actually matter in production." That combination is the strategic logic behind nearly every deal on this list, from Cider's pipeline context to Wiz's live cloud graph.

It's also a platform-consolidation story. Buyers like Palo Alto Networks, CrowdStrike, Cisco, Akamai, and SentinelOne are each trying to avoid losing customers to a point solution that stitches together code, cloud, and runtime context on its own. Rather than build that stitching in-house on a multi-year roadmap, they have consistently chosen to buy teams that had already built it. The result, deal by deal, is a smaller number of platforms each claiming to cover the full path from source commit to running workload.

What it means for security teams

For CISOs and AppSec leaders, the immediate effect is more vendor consolidation to navigate: tools bought as best-of-breed point products are being absorbed into broader platforms, with the usual integration timelines, licensing changes, and roadmap uncertainty that come with any acquisition. The longer-term effect is a market that increasingly treats "runtime context" as table stakes rather than a differentiator. A code scanner that cannot say whether a finding is reachable in a live, deployed service is competing against platforms that can.

That raises the practical question every security team now has to answer, regardless of which acquired platform they end up standardizing on: how do you connect what you know about your code and your dependencies to what is actually deployed and reachable, without waiting for your incumbent vendor's multi-year integration roadmap to catch up?

How Safeguard helps

Safeguard was built around the same premise driving this acquisition wave: software supply chain security only works when it is grounded in what is actually running, not just what is committed to a repository. Safeguard connects artifact provenance, SBOM data, and dependency analysis to the deployed reality of your environment, so vulnerability and exposure findings are prioritized by whether the affected component is actually present, loaded, and reachable in production — not just referenced somewhere in a manifest.

That means security and engineering teams get the benefit the acquirers above are each racing to bolt onto their platforms — runtime-informed prioritization — without having to wait for a point-solution acquisition to be integrated, re-licensed, and re-platformed into someone else's suite. For organizations watching this consolidation wave and wondering whether their current AppSec stack will still make sense in eighteen months, Safeguard's approach is to make the code-to-runtime connection a native part of the supply chain security workflow now, independent of who acquires whom next.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.